[Samba] Changing expired Samba AD password during Windows login

Kacper Wirski kacper.wirski at gmail.com
Mon Jan 29 18:52:54 UTC 2018

I can only share my experience:

Domain with only Samba DCs (started from Samba 4.4, updated to 4.7 in 
the meantime), Windows clients (Vista, 7, 8.1 and 10): no problem 
whatsoever, passwords are changed every X days, and users have no 
problem with the procedure (prompt "your password has expired" -> user 
enters new password -> "your password was changed" -> OK) and that's it.

Only samba-tool was used to enforce password policy; I didn't need to 
set anything in GPO in order to make it work.

The only thing that is coming to my mind is maybe an issue with Kerberos? I 
know for a fact that Windows since August 2016 requires Kerberos to 
change an expired password. Other than this, I'm sorry.

On 29.01.2018 at 13:49, Ken McDonald via samba wrote:
> Ok, so I tried all the suggestions without success.
> Unless I hear back from someone saying it is NOT possible for a user 
> to change an expired password during login from a Domain account on a 
> Samba 4.7.4 AD domain (only 1 DC, and I also tried latest dev 
> release), then I will proceed with more in-depth troubleshooting, log 
> file debugging, and mock-up VM's in order to determine what is happening.
> Effectively for me, Samba AD is unusable unless users can change an 
> expired password during login like they can when running on a pure 
> Windows Server AD domain.
> Thanks for everyone (anyone?) and their assistance!
